SlideShare a Scribd company logo

Bringing Government and Enterprise Security Controls to the Android Endpoint

Hamilton Turner
Hamilton Turner

Why are endpoint security controls on Android devices so lacking when compared to their laptop counterparts? What are the technical challenges to securing Android, and what should you be aware of before signing onto an MDM platform claiming to add security to your business devices.

Technology
1 of 24
Download to read offline
Optio is a subsidiary of Allied Minds, an innovative U.S. science and technology development and commercialization company. Operating since 2006, Allied Minds forms, funds, manages and builds products and businesses based on innovative technologies developed at leading U.S. universities and federal research institutions. Allied Minds serves as a diversified holding company that supports its businesses and product development with capital, central management and shared services. More information about the Boston-based company can be found at www.alliedminds.com. Bringing Enterprise and Government Security Controls to the Android Endpoint March 2016 Dr. Hamilton Turner Senior Director of Engineering & Research
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. About Me • Working with Android for ~7 years • Doctorate from Virginia Polytechnic with specialization in optimizing and securing mobile cloud computing systems • Senior Director of Engineering and Research – Responsible for all research initiatives – Advisor on engineering initiatives in a planning and software quality control standpoint – Lead software developer on multiple projects 2
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Presentation Overview • How should a smartphone be secured? • How are smartphones being secured? • Why are security controls on smartphones lagging behind security controls on laptops? • Our approach to improving Android security 3
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. 6 How should a smartphone be secured? Android is a huge, complex codebase – Changing code adds bugs – Changing code is costly – Too many code modifications will eventually cause project failure Automation helps, but… – Often it just helps you break more in less time
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Common Enterprise Smartphone Controls • App wrapping – Proxy all app communication through a ‘security’ layer • Containerization – Create one ‘secure sandbox’ shared by all enterprise apps • Device administration APIs – Ask system to enforce security for you • Mobile Device Management – A collection of these technologies (not actually a security technology) 7
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Application Wrapping 8 • Goal: Intercept every method call the application could use to interact with the system – Add a ‘decision’ to each – Choose to block/allow/modify each interaction • No system modifications Non-wrapped Android Apps
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Application Wrapping 9 • Goal: Intercept every method call the application could use to interact with the system – Add a ‘decision’ to each – Choose to block/allow/modify each interaction • No system modifications Wrapped Android Apps
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Application Wrapping 10 • Large maintenance burden – Every single version – of every single app – must be wrapped • “Escaping” is fairly easy – Exec / Java Reflection – Unprotected NDK interfaces – Symbolic links in filesystem – Internal components e.g. web views • ‘Security feature’ is inside the sandbox – app can modify! • Offers no protection inside the OS – Once data leaves sandbox, it’s gone
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Containerization • Natural extension of app wrapping – Most solutions today operate in app sandbox – Notable exceptions are Android For Work-based implementations • Adds some shared information into the wrapping logic – Security keys for data de/encryption – Policy decision-making across entire phone – User accounts, single-sign on, etc 11
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Containerization • Natural extension of app wrapping – Inherits concerns about: • Large maintenance overhead • Escaping security is fairly easy • Security is not independent from apps being secured • Increased maintenance overhead – Every version of every app must be wrapped with the correct container version • Improvement: Does offer some protection from leaky OS 12
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Device Administration APIs • Too simple to cover many use cases – password length – screen lock – require encrypted filesystem • No app-specific protections – Once app is installed to ‘managed’ phone, it has full access to managed data • No protection from misbehaving system 13
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. 14 How should a smartphone be secured? Android is a huge, complex codebase – Changing code adds bugs – Changing code is costly – Too many code modifications will eventually cause project failure Automation helps, but… – Often it just helps you break more in less time
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. 15 How are smartphones being secured? Device Admin API App Wrapping Containerization
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Existing Smartphone Controls • Large market opportunity and multiple competing solutions, but existing solutions are all limited – Not as reliable as traditional laptop controls – Not as powerful – Not as user-friendly • Why? – Android systems are designed from the bottom-up to have excellent inter-application communication, and it is widely used 16
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Data Flows: Android versus Laptop • Data flow on a laptop is strongly tied to the original application – E.g. very few apps on the system understand “powerpoint” files • Data passing between apps goes through the system in a well-understood format – E.g. files • Very few applications “cross-talk” – E.g. the browser can download files for you, but it cannot specifically pass Spotify a message to “favorite this file I am downloading” 17
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Data Flows: Android versus Laptop • Data on a mobile tends to ‘disperse’ – Android is designed to pass information and commands app- to-app – Multiple 3rd-party apps have built entire command/data pathways • E.g. http://www.openintents.org/, custom URL schemes (whatsapp://), standard filesystem on shared external storage • Data passing between apps goes through the system in many formats – “Standardized” Intents, non-standard intents, filesystem, network sockets, parent process sharing, broadcasts, content providers, tunneled data inside other formats • Most applications “cross-talk” – Almost every application can “share” to a large number of other apps – With a few lines of code, apps can send data via Bluetooth, email, sms, clipboard, QR code, and multiple well-known network apps 18
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Data flows inside Android • Even inside the OS • Protecting app-to-app communication is not enough! – Must protect against leaks inside the system 19
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. How should Android be secured? • Intersection points of ‘few code changes’ and ‘big impact’ – Network access – Disk access – Inter-process communication • The first two are already addressed • The underlying IPC system on Android is pervasively used – By app-to-app communication – By app-to-system communication – By system-to-system communication • Adding security to this mechanism is a win! 20
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. 21 Benefits of securing Android IPC • Extremely powerful modification – Almost all inter-application communication – Huge portion of communication between Android and apps • Completely invisible to existing code • Very small impact on existing codebase – No new bugs being introduced • Resistant to future changes OptioCore
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Example: Stagefright via MMS • Vector originates in system • Some MMS apps were vulnerable, some were not – Auto-download MMS settings • By blocking the dangerous IPC to vulnerable apps, we – Prevent the immediate threat – Buy reaction time for an OTA – Protect users from a bug in the system itself 22 SMS RIL MediaServer OMX
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. OptioCore
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. OptioInsight o Deep visibility into security threats o Cross-platform security analytics o Rapid, actionable threat response o Agile security policy management o Enterprise user management o Security reporting
CONFIDENTIAL. ALL RIGHTS RESERVED. Optio is a subsidiary of Allied Minds, an innovative U.S. science and technology development and commercialization company. Operating since 2006, Allied Minds forms, funds, manages and builds products and businesses based on innovative technologies developed at leading U.S. universities and federal research institutions. Allied Minds serves as a diversified holding company that supports its businesses and product development with capital, central management and shared services. More information about the Boston-based company can be found at www.alliedminds.com. Thanks! Come visit OptioLabs in Booth #5145
CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. OptioLabs Company OptioLabs is a security insight platform for the mobile enterprise. Mission Secure the mobile enterprise with solutions that adapt to threats in real time.

Recommended

Cybersecurity Risks In the Mobile Environment
Cybersecurity Risks In the Mobile EnvironmentCybersecurity Risks In the Mobile Environment
Cybersecurity Risks In the Mobile EnvironmentHamilton Turner
 
Mickey pacsec2016_final
Mickey pacsec2016_finalMickey pacsec2016_final
Mickey pacsec2016_finalPacSecJP
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_roomNCC Group
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Trends in Mobile Device Data and Artifacts
Trends in Mobile Device Data and ArtifactsTrends in Mobile Device Data and Artifacts
Trends in Mobile Device Data and ArtifactsCellebrite
 

Recommended

Cybersecurity Risks In the Mobile Environment
Cybersecurity Risks In the Mobile EnvironmentCybersecurity Risks In the Mobile Environment
Cybersecurity Risks In the Mobile EnvironmentHamilton Turner
 
Mickey pacsec2016_final
Mickey pacsec2016_finalMickey pacsec2016_final
Mickey pacsec2016_finalPacSecJP
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_roomNCC Group
 
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...Tom Eston
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationTom Eston
 
Trends in Mobile Device Data and Artifacts
Trends in Mobile Device Data and ArtifactsTrends in Mobile Device Data and Artifacts
Trends in Mobile Device Data and ArtifactsCellebrite
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingLookout
 
3 florin coada - sast in the days of dev ops
3 florin coada - sast in the days of dev ops3 florin coada - sast in the days of dev ops
3 florin coada - sast in the days of dev opsIevgenii Katsan
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSecureState
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Digital Bond
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Priyanka Aash
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile AppsSophos Benelux
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Tom Gersic
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of ThingsBryan Len
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
Implementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceImplementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceBrian Pichman
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Track f evolving trusted platforms - arm
Track f evolving trusted platforms - armTrack f evolving trusted platforms - arm
Track f evolving trusted platforms - armchiportal
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Digital Bond
 
Phone Hacking: A lucrative, but largely hidden history
Phone Hacking: A lucrative, but largely hidden historyPhone Hacking: A lucrative, but largely hidden history
Phone Hacking: A lucrative, but largely hidden historyDavid Rogers
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 
IoT/M2M Security
IoT/M2M SecurityIoT/M2M Security
IoT/M2M SecurityYu-Hsin Hung
 
IoT Security and Privacy Considerations
IoT Security and Privacy ConsiderationsIoT Security and Privacy Considerations
IoT Security and Privacy ConsiderationsKenny Huang Ph.D.
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 

More Related Content

What's hot

Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingLookout
 
3 florin coada - sast in the days of dev ops
3 florin coada - sast in the days of dev ops3 florin coada - sast in the days of dev ops
3 florin coada - sast in the days of dev opsIevgenii Katsan
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSecureState
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Digital Bond
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Priyanka Aash
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Tom Gersic
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of ThingsBryan Len
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesTom Eston
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
Implementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceImplementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceBrian Pichman
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Track f evolving trusted platforms - arm
Track f evolving trusted platforms - armTrack f evolving trusted platforms - arm
Track f evolving trusted platforms - armchiportal
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Digital Bond
 
Phone Hacking: A lucrative, but largely hidden history
Phone Hacking: A lucrative, but largely hidden historyPhone Hacking: A lucrative, but largely hidden history
Phone Hacking: A lucrative, but largely hidden historyDavid Rogers
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...eightbit
 

What's hot (20)

Mobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are AskingMobile Security: The 5 Questions Modern Organizations Are Asking
Mobile Security: The 5 Questions Modern Organizations Are Asking
 
3 florin coada - sast in the days of dev ops
3 florin coada - sast in the days of dev ops3 florin coada - sast in the days of dev ops
3 florin coada - sast in the days of dev ops
 
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and ExploitationSmart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
Process Whitelisting and Resource Access Control For ICS Computers, Kuniyasu ...
 
Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)Hijacking a Pizza Delivery Robot (using SQL injection)
Hijacking a Pizza Delivery Robot (using SQL injection)
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013Security Best Practices for Mobile Development @ Dreamforce 2013
Security Best Practices for Mobile Development @ Dreamforce 2013
 
Iot Security, Internet of Things
Iot Security, Internet of ThingsIot Security, Internet of Things
Iot Security, Internet of Things
 
Attacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS DevicesAttacking and Defending Apple iOS Devices
Attacking and Defending Apple iOS Devices
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 
Ryan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT SecurityRyan Wilson - ryanwilson.com - IoT Security
Ryan Wilson - ryanwilson.com - IoT Security
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
 
Implementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day ConferenceImplementing security for your library | PLAN Tech Day Conference
Implementing security for your library | PLAN Tech Day Conference
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Track f evolving trusted platforms - arm
Track f evolving trusted platforms - armTrack f evolving trusted platforms - arm
Track f evolving trusted platforms - arm
 
Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)Internet Accessible ICS in Japan (English)
Internet Accessible ICS in Japan (English)
 
Phone Hacking: A lucrative, but largely hidden history
Phone Hacking: A lucrative, but largely hidden historyPhone Hacking: A lucrative, but largely hidden history
Phone Hacking: A lucrative, but largely hidden history
 
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
Online Retailer's Conference 2013 - Hacking Mobile Applications - Industry Ca...
 
IoT/M2M Security
IoT/M2M SecurityIoT/M2M Security
IoT/M2M Security
 

Similar to Bringing Government and Enterprise Security Controls to the Android Endpoint

IoT Security and Privacy Considerations
IoT Security and Privacy ConsiderationsIoT Security and Privacy Considerations
IoT Security and Privacy ConsiderationsKenny Huang Ph.D.
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile ApplicationsDenim Group
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTechWell
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTechWell
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securitySam Bowne
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec
 
SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015Francisco Anes
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile AppsDenim Group
 
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...IBM Security
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...IBM Security
 
Transforming Risky Mobile Apps into Self Defending Apps
Transforming Risky Mobile Apps into Self Defending AppsTransforming Risky Mobile Apps into Self Defending Apps
Transforming Risky Mobile Apps into Self Defending AppsBlueboxer2014
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsBitbar
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
Mobile app testing
Mobile app testingMobile app testing
Mobile app testingsanpalan
 

Similar to Bringing Government and Enterprise Security Controls to the Android Endpoint (20)

IoT Security and Privacy Considerations
IoT Security and Privacy ConsiderationsIoT Security and Privacy Considerations
IoT Security and Privacy Considerations
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
 
Tips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile AppsTips and Tricks for Building Secure Mobile Apps
Tips and Tricks for Building Secure Mobile Apps
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
 
Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011Symantec Mobile Security Whitepaper June 2011
Symantec Mobile Security Whitepaper June 2011
 
Webinar on Enterprise Security & android
Webinar on Enterprise Security & androidWebinar on Enterprise Security & android
Webinar on Enterprise Security & android
 
SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015SecurityWhitepaper 7-1-2015
SecurityWhitepaper 7-1-2015
 
Designing Secure Mobile Apps
Designing Secure Mobile AppsDesigning Secure Mobile Apps
Designing Secure Mobile Apps
 
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
IBM Mobile Security: A Comprehensive Approach to Securing and Managing the Mo...
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security Knowledge
 
Securing Android
Securing AndroidSecuring Android
Securing Android
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
5 Key Ways to Incorporate Security Protection into your Organization’s Mobile...
 
Transforming Risky Mobile Apps into Self Defending Apps
Transforming Risky Mobile Apps into Self Defending AppsTransforming Risky Mobile Apps into Self Defending Apps
Transforming Risky Mobile Apps into Self Defending Apps
 
Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?Application Hackers Have A Handbook. Why Shouldn't You?
Application Hackers Have A Handbook. Why Shouldn't You?
 
How to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS AppsHow to Test Security and Vulnerability of Your Android and iOS Apps
How to Test Security and Vulnerability of Your Android and iOS Apps
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Mobile app testing
Mobile app testingMobile app testing
Mobile app testing
 

Recently uploaded

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

Bringing Government and Enterprise Security Controls to the Android Endpoint

  • 1. Optio is a subsidiary of Allied Minds, an innovative U.S. science and technology development and commercialization company. Operating since 2006, Allied Minds forms, funds, manages and builds products and businesses based on innovative technologies developed at leading U.S. universities and federal research institutions. Allied Minds serves as a diversified holding company that supports its businesses and product development with capital, central management and shared services. More information about the Boston-based company can be found at www.alliedminds.com. Bringing Enterprise and Government Security Controls to the Android Endpoint March 2016 Dr. Hamilton Turner Senior Director of Engineering & Research
  • 2. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. About Me • Working with Android for ~7 years • Doctorate from Virginia Polytechnic with specialization in optimizing and securing mobile cloud computing systems • Senior Director of Engineering and Research – Responsible for all research initiatives – Advisor on engineering initiatives in a planning and software quality control standpoint – Lead software developer on multiple projects 2
  • 3. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Presentation Overview • How should a smartphone be secured? • How are smartphones being secured? • Why are security controls on smartphones lagging behind security controls on laptops? • Our approach to improving Android security 3
  • 4. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. 6 How should a smartphone be secured? Android is a huge, complex codebase – Changing code adds bugs – Changing code is costly – Too many code modifications will eventually cause project failure Automation helps, but… – Often it just helps you break more in less time
  • 5. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Common Enterprise Smartphone Controls • App wrapping – Proxy all app communication through a ‘security’ layer • Containerization – Create one ‘secure sandbox’ shared by all enterprise apps • Device administration APIs – Ask system to enforce security for you • Mobile Device Management – A collection of these technologies (not actually a security technology) 7
  • 6. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Application Wrapping 8 • Goal: Intercept every method call the application could use to interact with the system – Add a ‘decision’ to each – Choose to block/allow/modify each interaction • No system modifications Non-wrapped Android Apps
  • 7. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Application Wrapping 9 • Goal: Intercept every method call the application could use to interact with the system – Add a ‘decision’ to each – Choose to block/allow/modify each interaction • No system modifications Wrapped Android Apps
  • 8. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Application Wrapping 10 • Large maintenance burden – Every single version – of every single app – must be wrapped • “Escaping” is fairly easy – Exec / Java Reflection – Unprotected NDK interfaces – Symbolic links in filesystem – Internal components e.g. web views • ‘Security feature’ is inside the sandbox – app can modify! • Offers no protection inside the OS – Once data leaves sandbox, it’s gone
  • 9. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Containerization • Natural extension of app wrapping – Most solutions today operate in app sandbox – Notable exceptions are Android For Work-based implementations • Adds some shared information into the wrapping logic – Security keys for data de/encryption – Policy decision-making across entire phone – User accounts, single-sign on, etc 11
  • 10. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Containerization • Natural extension of app wrapping – Inherits concerns about: • Large maintenance overhead • Escaping security is fairly easy • Security is not independent from apps being secured • Increased maintenance overhead – Every version of every app must be wrapped with the correct container version • Improvement: Does offer some protection from leaky OS 12
  • 11. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Device Administration APIs • Too simple to cover many use cases – password length – screen lock – require encrypted filesystem • No app-specific protections – Once app is installed to ‘managed’ phone, it has full access to managed data • No protection from misbehaving system 13
  • 12. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. 14 How should a smartphone be secured? Android is a huge, complex codebase – Changing code adds bugs – Changing code is costly – Too many code modifications will eventually cause project failure Automation helps, but… – Often it just helps you break more in less time
  • 13. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. 15 How are smartphones being secured? Device Admin API App Wrapping Containerization
  • 14. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Existing Smartphone Controls • Large market opportunity and multiple competing solutions, but existing solutions are all limited – Not as reliable as traditional laptop controls – Not as powerful – Not as user-friendly • Why? – Android systems are designed from the bottom-up to have excellent inter-application communication, and it is widely used 16
  • 15. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Data Flows: Android versus Laptop • Data flow on a laptop is strongly tied to the original application – E.g. very few apps on the system understand “powerpoint” files • Data passing between apps goes through the system in a well-understood format – E.g. files • Very few applications “cross-talk” – E.g. the browser can download files for you, but it cannot specifically pass Spotify a message to “favorite this file I am downloading” 17
  • 16. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Data Flows: Android versus Laptop • Data on a mobile tends to ‘disperse’ – Android is designed to pass information and commands app- to-app – Multiple 3rd-party apps have built entire command/data pathways • E.g. http://www.openintents.org/, custom URL schemes (whatsapp://), standard filesystem on shared external storage • Data passing between apps goes through the system in many formats – “Standardized” Intents, non-standard intents, filesystem, network sockets, parent process sharing, broadcasts, content providers, tunneled data inside other formats • Most applications “cross-talk” – Almost every application can “share” to a large number of other apps – With a few lines of code, apps can send data via Bluetooth, email, sms, clipboard, QR code, and multiple well-known network apps 18
  • 17. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Data flows inside Android • Even inside the OS • Protecting app-to-app communication is not enough! – Must protect against leaks inside the system 19
  • 18. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. How should Android be secured? • Intersection points of ‘few code changes’ and ‘big impact’ – Network access – Disk access – Inter-process communication • The first two are already addressed • The underlying IPC system on Android is pervasively used – By app-to-app communication – By app-to-system communication – By system-to-system communication • Adding security to this mechanism is a win! 20
  • 19. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. 21 Benefits of securing Android IPC • Extremely powerful modification – Almost all inter-application communication – Huge portion of communication between Android and apps • Completely invisible to existing code • Very small impact on existing codebase – No new bugs being introduced • Resistant to future changes OptioCore
  • 20. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. Example: Stagefright via MMS • Vector originates in system • Some MMS apps were vulnerable, some were not – Auto-download MMS settings • By blocking the dangerous IPC to vulnerable apps, we – Prevent the immediate threat – Buy reaction time for an OTA – Protect users from a bug in the system itself 22 SMS RIL MediaServer OMX
  • 21. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. OptioCore
  • 22. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. OptioInsight o Deep visibility into security threats o Cross-platform security analytics o Rapid, actionable threat response o Agile security policy management o Enterprise user management o Security reporting
  • 23. CONFIDENTIAL. ALL RIGHTS RESERVED. Optio is a subsidiary of Allied Minds, an innovative U.S. science and technology development and commercialization company. Operating since 2006, Allied Minds forms, funds, manages and builds products and businesses based on innovative technologies developed at leading U.S. universities and federal research institutions. Allied Minds serves as a diversified holding company that supports its businesses and product development with capital, central management and shared services. More information about the Boston-based company can be found at www.alliedminds.com. Thanks! Come visit OptioLabs in Booth #5145
  • 24. CONFIDENTIAL. ALL RIGHTS RESERVED.CONFIDENTIAL. ALL RIGHTS RESERVED. OptioLabs Company OptioLabs is a security insight platform for the mobile enterprise. Mission Secure the mobile enterprise with solutions that adapt to threats in real time.